Vietnamese malware: ‘Single post’ enough to trigger spyware attacks against U.S. bloggers, EFF claims

A Californian blogger was among victims of a malware attack which targeted critics of the communist state in Vietnam, as well as staff at U.S. privacy group Electronic Frontier Foundation.

A single anti-government blog post is enough to trigger personalized spyware attacks from hacker groups supporting the Vietnamese communist state, the Electronic Frontier Foundation claims. The group says anti-government bloggers, even those in other countries, have been targeted with malware, as have its own staff and Californian activists.

“EFF is greatly disturbed to see targeted malware campaigns hitting so close to home,” the group said, after emails targeted its staff with spear-phishing attacks delivering malware.

A Washington Post report described how democracy activist Ngoc Thu, a Californian blogger, ‘sensed’ something was wrong with her PC – and that, as she described it, “somebody was there.” Just days afterwards, her personal emails and photos appeared on the blog, mixed with offensive messages – and she was locked out.

Activists from the Vietnamese Blogger Network are currently touring America to draw attention to the state’s recent crackdown on dissenting voices, according to a report by Voice of America.

A recent report by Voice of America said that the state was the fifth-biggest jailer of journalists in the world, and “was holding 18 journalists, up from 14 a year earlier, as authorities intensified a crackdown on bloggers, who represent the country’s only independent press.” The figures were based on the Committee to Protect Journalists’ annual report on repressive regimes.

The EFF alleges that pro-government cyber attackers have used malware to target EFF staff, plus a Vietnamese mathematician, activists and journalists.

In a blog post released this week, the group said, “For the last several years, the communist government of Vietnam has used malware and RATs [Remote Access Tools, powerful software which can remote-control PCs – demonstrated by ESET’s Stephen Cobb here] to spy on journalists, activists, dissidents, and bloggers, while it cracks down on dissent.”

The new campaign, though, used highly targeted attacks aimed at specific critics of the government – including EFF staff.

“On December 20th, 2013, two EFF staffers received an email from “Andrew Oxfam,” inviting them to an “Asia Conference,” and inviting them to click on a pair of links which were supposed to contain information about the conference and the invitation itself,” the group said in its post.

The malware was sent out as a link to a Google document, and was sent in emails tailored to targets – the activists were invited to a conference, and an Associated Press journalist was offered a white paper from Human Rights Watch.

“Just as journalists are tempted to open documents promising tales of scandal, and Syrian opposition supporters are tempted to open documents pertaining to abuses by the Assad regime, human rights activists are interested in invitations to conferences. For greater verisimilitude, the attacker should have included an offer to pay for flights and hotels,” the group commented.

“Several registry changes are made to enable the malicious implant to persist after reboot,” the group said, adding that the implant initiates a connection to domains linked to earlier malware attacks against Vietnamese bloggers.

“Examining this malware reveals a relationship to earlier campaigns targeting Vietnamese activists,” the group said, “A prominent Vietnamese pro-democracy blogger living in California was successfully targeted by this attack, which led to the compromise of her blog and the invasion of her private life.”

“The group behind these attacks appears to have been operating since late 2009, and has been very active in the targeting of Vietnamese dissidents, people writing on Vietnam, and the Vietnamese diaspora. This appears to be the work of a group commonly known as “Sinh Tử Lệnh” and while it has been anecdotally claimed to be the work of Chinese actors, it seems to be more likely the work of Vietnamese targeting Vietnamese.”

The Vietnamese government’s targeting of those who express opinion has drawn sharp criticism.

Writing for The Register Citizen, the Washington Post’s Jim Hoagland says, “In Vietnam alone, 34 bloggers are in jail for expressing opinions,” and adds, “We live in an era of counterrevolution. For nearly three decades, the globalization of dissent, instant information and political self-empowerment helped overturn scores of dictatorships. But like the European monarchies of the early 19th century, the surviving autocrats are fighting back, often using scorched-earth tactics.”
